Data exfiltration is the unauthorized transfer of data. Sometimes referred to as data extrusion, data exportation, or simply data theft, data exfiltration can be performed by a person or an malicious program with access to a computer or system. Bad actors that perform this act can be motivated by a variety of reasons. It can be an employee with a grievance with the employer. A foreign government agency for the purpose of espionange or policitcal influence. A group of hackers for the purpose of financial gain.
There are a vareity of methods data can be exfiltrated from an organization. This includes FTP, VPN, SQL injection, and malware. For the purpose of this article, we'll focus on mitigating data exfiltration by an employee, contractor, or an individual that have physical access to your company's computer. This mitigation technique makes use of Windows Server GPO to push out this restriction. The USB ports on desktops and notebooks can be disabled to prevent data transfers. If your organization does not use USB external storage media, as with some of our clients, implementing this will have no adverse effect on business operations. Using Windows Server with Active Directory set up, this is easily implemented through GPO by following the steps below:
GPO: USB Restrictions
Navigate to Setting: Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access
Set the following options as indicated:
- Removable Disks: Deny execute access: Enabled
- Removable Disks: Deny read access: Enabled
- Removable Disks: Deny write access: Enabled
Upon the your employee's next network login, this change will be pushed out and USB ports will no longer be used for data transfer. It should be noted that this implementation will continue to allow the USB ports to be used as a USB charging port. Additionally, this particular GPO change does not affect your ability to use USB devices such as keyboards, mice, and audio headsets.
Obviously, if your company does require the use of USB storage devices for business functions, pushing this out company-wide will not be feasible. In this case, perhaps a hybrid approach can be employed. Depending on usage, an option is to exclude a well defined handful of computers from this GPO setting. Or, designate one computer to have USB data transfer capability and assign a designee as a "data transfer official" to perform file transfers to and from a USB device for your employees.
Whether you implement this or not and how you implement it will be dependent on your organization's tolerance to this kind of risk. If your organization is required to comply with regulations, such as PCI and HIPAA, then it is worth serious consideration. If you have a remote workforce with company notebooks where you do not have full oversight, implementing this GPO can help your organization reduce this risk. Using HIPAA as an example, fines and penalties are hefty if you have unauthorized and unintended disclosure of ePHI. As some of you have heard before, security and convenience is a dichotomy. You cannot have one without sacrificing the other.